ScreenOS Firewalls (NOT SRX)
Reply
New User
astanislaus
Posts: 3
Registered: ‎07-04-2008
0

AUthentication Window does not pop-up

1.       Initiate HTTPS from browser – No authentication window.

2.       Get auth table – No users in table.

3.       After several attempts on HTTPS, we tried to initiate HTTP from browser – Authentication window received

4.       Get auth table – One user was seen

 

=========================================================================================

 

  • A detailed description of the problem:
-       We configured authentication on advance policy settings on a certain FW policy on Netscreen. We were able to receive an authentication window on HTTP but failed on HTTPS, PING and Traceroute.
  • Model of the firewall you have
-       SSG-550
  • Exact software version
-       5.1.0r4c.6_ssg 
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: AUthentication Window does not pop-up

Hi,

 

Actually inline authentication (run time authentication) works for only telnet, ftp and http traffic. If u want to use inline authentication for other traffic like https, ssh etc. Do one thing make a service group, add all ur desired services (https, ssh) AND one or all three services (ftp, http, telnet) also in that service group. Use this service group in policy from untrust to trust. Now u can use inline authentication for https, ssh etc.

 

Please let me know this solves ur problem?

 

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Contributor
7wonders
Posts: 33
Registered: ‎07-08-2008
0

Re: AUthentication Window does not pop-up

Thanks Rana, i am also facing a same issue, could you please help in commands as well?

 

thanks

 

- Ray

Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: AUthentication Window does not pop-up

Hi,

 

Kashif-rana is correct you can't do pop up authentication with HTTPS, adding http, telnet or ftp to the policy to authenticate the user is a work around, but it is not very secure are you are opening up a port that is not wanted through that policy.

 

As of 6.1 i believe that you can do redirect of unauthenticated traffic to a web auth address to authenticate the user and then allow them through the policy. This would be much cleaner as it means that you only need to open HTTPS through the policy. Have a look in the Concepts and Examples under authentication and web auth (Chapter 4 page 49).

 

I have not had a chance yet to try this so give it a go and let me know if it works.

 

Hope this helps 

 

Regards

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: AUthentication Window does not pop-up

Hi,

 

-Make service object for ur required services like https, ping but also for one or all of services (http, telnet, ftp) using the command:

 set service https protocol tcp src-port 0-65535 dst-port 443 (for https)

 set service ping protocol icmp (for ping)

 set service http protocol tcp src-port 0-65535 dst-port 80 (for http)

 

-Make service group for all the services u created above

  set group service "services-for-auth"

  set group service "services-for-auth" add https 

  set group service "services-for-auth" add http

  set group service "services-for-auth" add ping

 

-In policy which u created for authentication, edit that policy and in Service select the service group "services-for-auth" which u have created above.

 

Hope this helps

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Contributor
7wonders
Posts: 33
Registered: ‎07-08-2008
0

Re: AUthentication Window does not pop-up

Thanks Kashif & Andy, that really helps

 

-Ray

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: AUthentication Window does not pop-up

Anyone experienced this on SRX (Web Auth unable to pop-up)?

 

Is there any kb or doc links, to reference for troubleshooting purposes?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.